Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:00,230 --> 00:00:01,900 ‫So very quick lecture, but if you wanted 2 00:00:01,900 --> 00:00:05,700 ‫to migrate an EC2 instance from one AZ to another, 3 00:00:05,700 --> 00:00:07,880 ‫well the way you would do it is using an AMI. 4 00:00:07,880 --> 00:00:10,130 ‫So, in this example, we want to migrate our EC2 instance 5 00:00:10,130 --> 00:00:13,630 ‫from us-east-1a to us-east-1b, in which case, first 6 00:00:13,630 --> 00:00:17,420 ‫we take an AMI from our EC2 instance and then restore 7 00:00:17,420 --> 00:00:21,680 ‫that AMI into a new EC2 instance, in a different AZ 8 00:00:21,680 --> 00:00:24,310 ‫which by default will have the same data 9 00:00:24,310 --> 00:00:26,160 ‫and the same file system and the same applications 10 00:00:26,160 --> 00:00:28,730 ‫because the AMI was taken from the original one. 11 00:00:28,730 --> 00:00:31,960 ‫So, that's it super simple to see, but good to know. 12 00:00:31,960 --> 00:00:34,370 ‫And if you want to see this, well, the AMI here 13 00:00:34,370 --> 00:00:37,660 ‫my instance is in eu-central-1c, okay? 14 00:00:37,660 --> 00:00:40,010 ‫And an image was taken from it. 15 00:00:40,010 --> 00:00:41,080 ‫And so what I can do is 16 00:00:41,080 --> 00:00:45,500 ‫that I can launch an image from this AMI module to micro 17 00:00:45,500 --> 00:00:48,050 ‫and then here I'm able to select a specific AZ 18 00:00:48,050 --> 00:00:50,690 ‫so, a specific subnet, and it could be for example 19 00:00:50,690 --> 00:00:53,220 ‫this one to have it in eu-central-1b 20 00:00:53,220 --> 00:00:54,790 ‫and then I would be good to go. 21 00:00:54,790 --> 00:00:56,860 ‫So, let's say for this lecture, I hope you liked it 22 00:00:56,860 --> 00:00:59,420 ‫and I will see you in the next lecture. 23 00:00:59,420 --> 00:01:01,910 ‫Okay, so now let's talk about cross account AMI sharing. 24 00:01:01,910 --> 00:01:03,260 ‫That means that you're sharing your AMI 25 00:01:03,260 --> 00:01:04,830 ‫with another AWS account. 26 00:01:04,830 --> 00:01:06,570 ‫In this case, when you share an AMI 27 00:01:06,570 --> 00:01:08,760 ‫it does not affect the ownership of the AMI, 28 00:01:08,760 --> 00:01:10,040 ‫you still have it, okay? 29 00:01:10,040 --> 00:01:12,660 ‫And you can share an AMI for in two cases. 30 00:01:12,660 --> 00:01:15,360 ‫Number one, if the volume is unencrypted 31 00:01:15,360 --> 00:01:17,240 ‫and that means you can share it with another account 32 00:01:17,240 --> 00:01:21,040 ‫or even share the AMI publicly, or if it's encrypted 33 00:01:21,040 --> 00:01:24,790 ‫it has to be encrypted with your own customer managed key 34 00:01:24,790 --> 00:01:27,420 ‫and we'll see the process for that as well. 35 00:01:27,420 --> 00:01:29,460 ‫If you are sharing the, what I mean is 36 00:01:29,460 --> 00:01:31,740 ‫that if you're sharing the AMI with an encrypted volume 37 00:01:31,740 --> 00:01:34,490 ‫that means that you need to share any key that is attached 38 00:01:34,490 --> 00:01:35,730 ‫to that volume as well 39 00:01:35,730 --> 00:01:37,600 ‫that was used to encrypt and decrypt that volume 40 00:01:37,600 --> 00:01:40,510 ‫otherwise the targeted account cannot use your volume. 41 00:01:40,510 --> 00:01:42,700 ‫So, let's take an example, a simple one. 42 00:01:42,700 --> 00:01:43,640 ‫We have account A 43 00:01:43,640 --> 00:01:47,260 ‫and this is an unencrypted AMI in your source accounts 44 00:01:47,260 --> 00:01:49,610 ‫and you're just going to share it with account B. 45 00:01:49,610 --> 00:01:52,470 ‫And then the account B can launch directly 46 00:01:52,470 --> 00:01:56,310 ‫an EC2 instance from that source AMI, very simple. 47 00:01:56,310 --> 00:01:58,090 ‫Now, if you add KMS encryption 48 00:01:58,090 --> 00:02:00,860 ‫we have the same use case, but this time your AMI 49 00:02:00,860 --> 00:02:03,940 ‫is actually encrypted with your CMK-A, okay? 50 00:02:03,940 --> 00:02:05,990 ‫And what you're going to do is that you're going to share 51 00:02:05,990 --> 00:02:08,250 ‫this AMI with your account B 52 00:02:08,250 --> 00:02:10,610 ‫but also you're going to share the KMS key. 53 00:02:10,610 --> 00:02:11,780 ‫Okay, your CMK. 54 00:02:11,780 --> 00:02:14,120 ‫And you're going to give permissions to the target accounts 55 00:02:14,120 --> 00:02:17,460 ‫to describe the key to decrypt to re-encrypt and so on. 56 00:02:17,460 --> 00:02:19,280 ‫And this will allow the target accounts 57 00:02:19,280 --> 00:02:20,950 ‫to launch your custom AMI, 58 00:02:20,950 --> 00:02:22,450 ‫even though it was encrypted 59 00:02:22,450 --> 00:02:25,250 ‫with a key from your accounts, okay? 60 00:02:25,250 --> 00:02:27,670 ‫Next, you can have the cross account AMI copy. 61 00:02:27,670 --> 00:02:29,450 ‫So, you have sharing and copying. 62 00:02:29,450 --> 00:02:32,260 ‫If you copy an AMI that has been shared with your accounts 63 00:02:32,260 --> 00:02:35,670 ‫you are then the owner of the target AMI in your accounts. 64 00:02:35,670 --> 00:02:37,730 ‫That means that the owner of the source AMI must grant you 65 00:02:37,730 --> 00:02:40,620 ‫the read permissions for the storage that backs the AMI. 66 00:02:40,620 --> 00:02:43,330 ‫So, the EBS snapshots, so it's a bit more involved. 67 00:02:43,330 --> 00:02:45,690 ‫So, account B now has the permission to read 68 00:02:45,690 --> 00:02:48,300 ‫the EBS snapshots behind the AMI. 69 00:02:48,300 --> 00:02:50,950 ‫So, it can run a copy image, API call 70 00:02:50,950 --> 00:02:54,450 ‫which will copy the source AMI into its own accounts. 71 00:02:54,450 --> 00:02:56,280 ‫And in the process, for example 72 00:02:56,280 --> 00:02:58,630 ‫you can encrypt the snapshot if you wanted to 73 00:02:58,630 --> 00:02:59,740 ‫with your own keys. 74 00:02:59,740 --> 00:03:01,290 ‫And as we'll see in the next slide 75 00:03:01,290 --> 00:03:03,330 ‫if the shared AMI is an encrypted snapshot 76 00:03:03,330 --> 00:03:05,700 ‫the owner must share the encrypted key 77 00:03:05,700 --> 00:03:07,740 ‫or keys with you as well. 78 00:03:07,740 --> 00:03:10,630 ‫And you can encrypt the AMI with your own CMK while copying 79 00:03:10,630 --> 00:03:13,130 ‫So, let's have a look if we have KMS encryption 80 00:03:13,130 --> 00:03:14,130 ‫in this example. 81 00:03:14,130 --> 00:03:17,680 ‫So, we are sharing the underlying EBS snapshot 82 00:03:17,680 --> 00:03:20,210 ‫and we still give KMS key permissions 83 00:03:20,210 --> 00:03:22,210 ‫to the target accounts, okay? 84 00:03:22,210 --> 00:03:23,637 ‫And the target accounts can issue 85 00:03:23,637 --> 00:03:27,420 ‫a copy command to, for example, re-encrypt the EBS snapshot 86 00:03:27,420 --> 00:03:31,440 ‫by decrypting it using the CMK-A that was given access to 87 00:03:31,440 --> 00:03:34,740 ‫and re-encrypt it with CMK-B and its own accounts 88 00:03:34,740 --> 00:03:37,410 ‫which will give a custom AMI that will be owned 89 00:03:37,410 --> 00:03:39,030 ‫by the target account B 90 00:03:39,030 --> 00:03:41,500 ‫with its own encryption mechanism, okay? 91 00:03:41,500 --> 00:03:44,740 ‫So, that's it for how AMI copy and sharing works. 92 00:03:44,740 --> 00:03:46,820 ‫So, if you have an AMI, what you can do 93 00:03:46,820 --> 00:03:48,310 ‫as you can see is that 94 00:03:48,310 --> 00:03:52,060 ‫if this AMI was shared with you, you could copy that AMI 95 00:03:52,060 --> 00:03:54,610 ‫and this would let you get your own copy of the AMI, 96 00:03:54,610 --> 00:03:57,240 ‫regardless of the sharing options afterwards. 97 00:03:57,240 --> 00:03:59,580 ‫Or if you take that AMI itself 98 00:03:59,580 --> 00:04:02,070 ‫you can have a look at the permissions in here 99 00:04:02,070 --> 00:04:03,800 ‫and you can edit these permissions. 100 00:04:03,800 --> 00:04:08,200 ‫So, what you would do is action, edit AMI permissions. 101 00:04:08,200 --> 00:04:10,260 ‫And in here you have multiple options. 102 00:04:10,260 --> 00:04:13,437 ‫So, if your AMI was private 103 00:04:13,437 --> 00:04:16,370 ‫it could be encrypted or unencrypted 104 00:04:16,370 --> 00:04:19,680 ‫or if it was unencrypted, you could make it public, okay? 105 00:04:19,680 --> 00:04:23,320 ‫And you have people around the world that can use your AMI 106 00:04:23,320 --> 00:04:25,140 ‫so, be careful with that. 107 00:04:25,140 --> 00:04:28,120 ‫Also, if you, it was private and you want to share it 108 00:04:28,120 --> 00:04:31,360 ‫with specific accounts organizations or OUs 109 00:04:31,360 --> 00:04:34,910 ‫then you would allow here to add account ID's 110 00:04:34,910 --> 00:04:36,400 ‫and you enter the account ID's. 111 00:04:36,400 --> 00:04:38,760 ‫If you wanted to share with individual accounts 112 00:04:38,760 --> 00:04:41,470 ‫or if you wanted to share with an entire organization 113 00:04:41,470 --> 00:04:46,470 ‫or OUs then you would add the Org/ARN or the OU ARN, okay? 114 00:04:47,780 --> 00:04:49,990 ‫And finally, when you do a sharing 115 00:04:49,990 --> 00:04:54,050 ‫you can click here to add the create volume permission 116 00:04:54,050 --> 00:04:55,170 ‫to the associated snapshots 117 00:04:55,170 --> 00:04:56,827 ‫when creating account permissions. 118 00:04:56,827 --> 00:04:58,480 ‫And this would allow the other accounts 119 00:04:58,480 --> 00:05:01,610 ‫to use your AMI at will, okay? 120 00:05:01,610 --> 00:05:02,640 ‫So, that's it for this lecture. 121 00:05:02,640 --> 00:05:03,740 ‫I hope you liked it. 122 00:05:03,740 --> 00:05:05,690 ‫And I will see you in the next lecture. 10277